Clean Up Your AJAX Security

The new buzz in Web development is AJAX (Asynchronous JavaScript and XML) -- an abstract collection of Web technologies that enables developers to create richer, more user-friendly sites. AJAX is cool. But it can also be a portal to pernicious security vulnerabilities. The task of identifying and thwarting these security threats is concisely addressed in Jason Schmitt's "Secure ASP.NET AJAX Development."

Written by a Web developer for Web developers (Schmitt is group product manager for SPI Dynamics, a Web application security assessment and testing firm), this book is served up as a Digital Short Cut, a 93-page PDF document from a series that, according to the publisher, "... is tightly focused on a specific technology or technical problem," and "designed specifically for busy technical professionals like you." It delivers on both counts.

More Than Microsoft
As the title suggests, the book is geared toward securing Web 2.0 applications running Microsoft ASP.NET AJAX (formerly code-named "Atlas"; version 1 was released last month). However, many of the concerns are relevant to any developer using an AJAX-enabled approach. The book is divided into four sections. Schmitt begins with a nice overview of AJAX concepts, script libraries (Yahoo! User Interface Library, the Dojo JavaScript toolkit and the Prototype JavaScript Framework), code generators (Google Web Toolkit) and application frameworks, including a good explanation of the history of Atlas and its evolution into ASP.NET AJAX. His explanations are concise and illustrated where appropriate.

He then devotes his attention to detailing the security pitfalls of AJAX and how introducing AJAX into even a previously secure Web application can create dire security risks for both the server and the client. Tactics such as cross-site scripting, cross-site request forgery, SQL/XML injection and XML bombing are scary. Coupled with the advent of cross-domain requests on "mashup" sites that aggregate content, and the ever-growing tide of Service-Oriented Architectures (SOAs) that rely on AJAX, these attacks expose security risks that should make any Web developer tremble.

In the third section, Schmitt offers practical principles for securing your ASP.NET AJAX Web application from the very threats described in the previous section. This is the heart of the book. Each principle is described and further clarified through short examples of C# code. This is clearly targeted at those who develop on the ASP.NET platform, and he offers some nifty ways to leverage the security features of ASP.NET for AJAX. A fair level of programming expertise is assumed, and the approach is not so much how-to-do-it as what-you-should-do.

Last, there's a brief but invaluable section on ASP.NET AJAX security testing, replete with testing tools for threat modeling, proxies and code analysis. There's also a chart summarizing each security principle and the protection it provides, plus a handy security checklist -- resources that should be part of any savvy Web developer's arsenal.

Schmitt writes with a direct, no-nonsense voice: "No matter how you try to obscure your markup or client-side scripting, it is absolutely vulnerable to reverse engineering and manipulation -- without exception." He can also drive home some oft-overlooked facts about AJAX. To wit, "... your users have to have JavaScript enabled in their browsers for your AJAX application to work."

Digital Downside
There are a few grumbles with the PDF. One of the nice features of the format is embedded links. One click whets your curiosity; no laborious retyping of the printed link into the browser's address bar is required. This e-book makes nice use of this feature in the URLs of the notes. However, there are several places in the text where a hyperlink would be welcome. For example, under both "Security Testing Tools" and "Code Analysis Tools" the text offers up several resources, all unlinked. Sure, a quick copy-and-paste of the names into a search engine will get you to the tool, but just as quick is the PDF's caveat: "You may copy 8 [7, 6, 5 ...] selections in this document in the next 30 days. Would you like to continue?" Very annoying, especially if you want to copy some of the code snippets, too.

This limit on copies is only evident in the PDF purchased from the Addison-Wesley Web site. If you download it from Safari Books Online you can cut-and-paste at will. However, the Safari version has a portrait format, whereas the one from the publisher's site is in a much more readable landscape format. At present it is not available from Amazon.com.

These are minor annoyances. It is the content that matters. So, for the price of a couple of venti lattes, download this book. It's an interesting read, and it offers practical advice on how to make your ASP.NET AJAX Web applications more secure.